Sql injection biasa berlaku kat login form. Katakan query anda seperti ini:

sql_send("insert into yajiv (name) value ('$name');");

Biasanya SQL Injection attack dilakukan pada Login form:

User akan memasukkan username'nya (dalam field username) sebagai contoh di bawah
Yajiv')"; delete * from names;

Oleh Itu, SQL akan query berikut:
insert into names (name) value ('Yajiv')"; delete * from names;');

Sekarang query default telah berubah kepada query baru. Sekiranya database tak secure, semua data dalam table names akan hilang

Untuk mengelakkan kejadian di atas berlaku function berikut boleh membantu:


<?PHP
function stripQuotes($strWords)
{
$strWords = str_replace("''", "'", $strWords)
return $strWords ;
}
function killChars($strWords)
{
$badChars = array("select", "drop", ";", "--", "insert", "delete", "xp_") ;
str_replace() ;
foreach($badChars as $current)
{
$strWords = str_replace($current, '', $strWords);
}
return $strWords ;
}
?>


Masukkan Code berikut dibahagian login process:
$login = stripQuotes( $_POST['user'], $_POST['pass']

Oleh itu, function ini akan menapis ayat-ayat berikut:

select
drop"
;
--
insert
delete
xp_

(Anda boleh edit sendiri)

Sekarang site dah selamat daripada SQL Injection. Untuk keterangan lanjut sila layari:

http://www.sqlsecurity.com/


Selamat Mencuba

correction!!!

Script Kiddy..
or Cracker...

bukan Hacker!~

__________________
<b><i>Only the paranoid survive</i> - Andy Groove</b>

wuteva la... hehe.. yg penting.. msg tu penting.. :P hehe

Script kiddy, cracker and hacker.... is diffrent thing....

__________________
<form name="jump">
<select name="menu" onChange="location=document.jump.menu.options[document.jump.menu.selectedIndex].value;" style="border:1px #393F31 solid;color:#393F31;font:10px Verdana;font-weight:bold;" >
<option value="0" style="background: #9CC8FE" selected>*SELECT-LINKS</option>
<option value="http://www.gengturbo.org/" style="background: #FF0000">GENGTURBO</option>
<option value="http://www.phixelgrafix.com/" target="new" style="background: #C6D607">PHIXELGRAFIX</option>
<option value="http://dailydigital.phixelgrafix.com/" style="background: #FCBC45">OLD-BLOG</option>
<option value="http://www.mesrahosting.net/" style="background: #FF99CC">WEBHOSTING</option>
</select>
</form>

oklah .. .aku dah edit balik... tutorial aku tu.. .... aku lemah lah dalam hal hacker/cracker ni semua..

hehehe,.. takpe... usaha anda sgt dihargai.. bagus sekali artikel tuh

oit YajivMalhotra, buh sekali la... XSS vuln ngan remote shell execution thru PHP code.... depa nak tau gak tue....

__________________
<form name="jump">
<select name="menu" onChange="location=document.jump.menu.options[document.jump.menu.selectedIndex].value;" style="border:1px #393F31 solid;color:#393F31;font:10px Verdana;font-weight:bold;" >
<option value="0" style="background: #9CC8FE" selected>*SELECT-LINKS</option>
<option value="http://www.gengturbo.org/" style="background: #FF0000">GENGTURBO</option>
<option value="http://www.phixelgrafix.com/" target="new" style="background: #C6D607">PHIXELGRAFIX</option>
<option value="http://dailydigital.phixelgrafix.com/" style="background: #FCBC45">OLD-BLOG</option>
<option value="http://www.mesrahosting.net/" style="background: #FF99CC">WEBHOSTING</option>
</select>
</form>

pasal shell execute tu.. hehe... depa tak pasti...:P .... tapi cross site script attack .. tahulah sket sket....

Another good resource:

http://www.owasp.org/index.jsp

(Look under documentation)